Career Center

The Role

The CISO serves as a member of the CIO's senior leadership team and serves as the University's subject matter expert and internal consultative resource on technology security for the University's global network and the integrity and safety of the University's significant intellectual property and research assets.

The CISO will set the strategic roadmap for the University technology security initiatives directly impacting 20,000+ computers, over 60,000 technology users on the NYU NYC campus, as well as computers and staff at 2 global campuses and 14+ global sites.

The CISO is accountable to the CIO, the EVP, and where appropriate, the University Board of Trustees, for developing and implementing strategic and operational plans for the University wide technology security programs and initiatives. The CISO must carefully balance such proactive efforts while ensuring appropriate cost and minimal organizational risk, including potential damage to intellectual assets and unfavorable public relations consequences.

Scope and Responsibilities

With NYU senior leadership, the Chief Information Security Officer (CISO) will lead the development and implementation of an information security strategy and program for the University. They will plan and execute University wide technology security initiatives; create and maintain security policy in coordination with the Information Security Advisory Group (ISAG) and NYU IT Policy and Compliance; lead security assessment efforts; lead security risk assessment efforts; direct, advise and collaborate with NYU units on secure system development life cycle, and cyber security protection programs appropriate to risks, business continuity & disaster recovery plans, and audit & governmental compliance practices; direct security operations of the Office of Information Security group. The CISO communicates cyber security risks, issues and program status to University leadership and the NYU community as directed.

As the University's subject-matter expert in the technology security space, the incumbent will have the decision-making authority and signatory responsibility for $5+ million to recommend comprehensive solutions at the University level that will mitigate risk, protect intellectual capital, respond appropriately to security breaches or similar adverse issues, both for long-term critical response planning and nimbly in response to emerging threats that require more immediate and creative problem-solving.

The role is responsible for leading a team of approximately 20 people. The CISO will also regularly interact with the University leadership, senior IT leadership, and where appropriate, the University Board of Trustees. Interactions will also include the Office of General Counsel, Public Safety, Emergency Management, HIPAA Security Officer (CIO), HIPAA Privacy Officer (EVP), outside agencies (including governmental agencies), vendors, NYU IT managers, faculty and researchers, business unit senior managers, and NYU Medical Center.

Specific Responsibilities:

Global Security Program (35%)

Serve as an expert advisor to NYU senior management in the development and implementation of a comprehensive, risk based institutional and global security program.

• Work closely with senior administration, academic leaders, and the campus community to determine, identify key security program elements and determine which NYU departments or offices need to be involved in building a comprehensive information security program.


• Convene and coordinate activities of the NYU Information Security Advisory Group (ISAG).


• Provide guidance and advocacy regarding prioritization of infrastructure investments that affect security.


• Foster a collaborative approach to IT security efforts across the global components of NYU.


• Serve as security technology expert to University portal campuses, sites, schools, and departments by providing information and guidance regarding improved security needs.


• Consult with University and department administrators to understand unique requirements and recommend security approaches and improvements.


• Track industry and higher education developments and best practices to maintain a thorough understanding of current and future directions, systems, applications, and data security techniques for instructional, research and administrative needs, and select security technology appropriate to meet needs.


• Establish annual and long-range security and compliance goals, define security strategies, metrics, reporting mechanisms and program services; and create a roadmap for continual program improvements.


• Ensure broad communication to the NYU community about threats and measures to protect data and systems.


• Create consistency in risk reporting for the University Audit Committee and ISAG.

Risk Assessment Program (25%)

Develop and maintain an ongoing risk assessment program for NYU IT's information, data and technology assets.

• Research and report on information security threat profiles and system vulnerabilities.


• Recommend appropriate technical controls or other actions to mitigate risks; conduct tests of information security controls.


• Ensure mitigation strategies are aligned appropriately with the priorities and mission of the University.


• Determine security impact of implementation of new University systems, review software proposals from vendors, and develop installation schedule and priorities for most secure outcome.


• Propose and oversee the portfolio of IT investments in support of the University security program.

Information Systems and Data Protection (20%)

Direct all protection of information systems and data using technology security measures and techniques appropriate to current and evolving technology.

• Develop and implement security policies that are in compliance with federal & other statutes, and University policy.


• Develop and oversee mechanisms to ensure compliance with these policies.


• Develop short- and long-term strategic planning for the rapidly changing technical security field.


• Advise NYU and NYU IT on effective technology security approaches.


• Make recommendations regarding new services and procedures so as to maintain and continuously improve data and system security throughout the University.


• Make recommendations regarding outsourcing of program components, as needed.

Security Incident Management (15%)

Develop strategies to handle security incidents; coordinate the incident response process and investigation resulting from these incidents.

• Lead efforts to internally assess, evaluate and make recommendations to management regarding the adequacy of the security controls for the University's information and technology systems.


• Determine appropriate and effective response to technology security breaches affecting the University.


• Supervise investigation of security breaches and assist with disciplinary and legal matters associated with such breaches as necessary.


• Maintain relationships with local, state and federal law enforcement and other government agencies.


• Work with Internal Audit and outside consultants as appropriate on required security audits.


• Adhere to all policies regarding investigation practices.

Team Leadership (5%)

Oversee a team of technology security professionals and other technology security consultants as needed.

• Provide mentoring and training to these individuals and distributed security staff across the University.


• Determine staffing needs including hiring, training, and evaluating performance.


• Identify and prioritize assignments to ensure deadlines are met and review work for accuracy.

Key Selection Criteria

• 10+ years progressively responsible experience with complex and technology security systems and issues (required).


• The CISO must not only have a strong command of technology security protocols, best practices, and risk mitigation, but must have the ability to provide sound, practical technical and business solutions to highly complex and varying stakeholder needs (including, but not limited to, faculty, researchers, students, and staff, and their respective academic/work products).


• Demonstrated ability to deliver security solutions that meet organizational needs. Experience creating a security program, using a security framework.


• Demonstrated ability to create new models for virtual security teams that include stakeholder departments in a collaborative model.


• Strong team leadership skills. Strong at hiring, mentoring, and developing staff to create a strong people and team-oriented culture.


• Ability to identify critical business risks related to information security and advises senior leadership on risk acceptance and mitigation strategies.


• Demonstrated ability to influence key stakeholders, and successfully manage risk, change and innovation.


• Excellent organizational, communication, and problem-solving skills. Experience communicating complex subjects to executives.


• Proven ability to measure, report, and publicly communicate complex security decisions, situations, and impacts.


• Ability to work and effectively prioritize in a highly dynamic decentralized work environment.


• Must be well versed in quality data collection to ensure adequacy, accuracy and legitimacy of data in NYU systems and be able to strictly follow data privacy and security procedures for data handling and analysis to ensure adherence to legal and institutional standards.


• Must be familiar with security compliance requirements, such as PCI, FERPA, HIPAA, Sarbanes-Oxley, and Gramm-Leach-Bliley and with ISO 27001 and NIST 800-53, and emerging security standards for restricted and sensitive data.


• Must have 5+ years' experience managing technical staff.


• Bachelor's degree is required; a Master's degree in Cyber Security or IT Risk Management preferred.

NYU aims to be among the greenest urban campuses in the country and carbon neutral by 2040. Learn more at nyu.edu/nyugreen.

EOE/AA/Minorities/Females/Vet/Disabled/Sexual Orientation/Gender Identity

PI178517946